KeeneticOS
CVE-2025-56007
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
CRLF-injection in KeeneticOS before 4.3 at "/auth" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.
AnalysisAI
CRLF injection in KeeneticOS before version 4.3 enables full device takeover by exploiting the /auth API endpoint to inject crafted HTTP headers that create additional administrator-level user accounts. The attack requires social engineering the device owner into visiting a malicious page, after which the injected CRLF sequences manipulate the API response to silently add a full-permission user the attacker controls. No public exploit has been identified at time of analysis, though a detailed writeup is publicly available on GitHub, which significantly lowers the barrier to weaponization.
Technical ContextAI
KeeneticOS is the embedded Linux-based firmware powering Keenetic-brand home and SOHO routers (CPE: cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*). CWE-93 describes improper neutralization of CRLF sequences - carriage return (\r, 0x0D) and line feed (\n, 0x0A) characters that HTTP parsers use to delimit headers. When user-supplied input containing these sequences reaches the /auth API endpoint without sanitization, an attacker can inject synthetic HTTP headers or body content into the response stream, effectively forging server-side API behavior. In this case, the injected payload abuses the user management flow to provision a new account with elevated privileges, exploiting the trust the router firmware places in its own API responses.
RemediationAI
The vendor-released patch is KeeneticOS 4.3, which resolves the CRLF injection in the /auth endpoint. Administrators should upgrade to version 4.3 or later via the Keenetic firmware update mechanism immediately; the advisory at https://keenetic.com/global/security#october-2025-web-api-vulnerabilities provides update guidance. As a compensating control prior to patching, disable remote web interface access from untrusted networks and restrict management plane access to trusted LAN segments only - this does not eliminate the attack if the victim is on the LAN, but significantly reduces the attacker's ability to stage the malicious page in a position where the router's /auth endpoint is reachable. Additionally, advise users not to browse general web content while authenticated to the router admin interface. Note that restricting web UI access may interrupt legitimate remote management workflows.
More in Keeneticos
View allStored cross-site scripting on the KeeneticOS 'Wireless ISP' page enables a physically proximate attacker to compromise
Cross-site request forgery in KeeneticOS before version 4.3 allows remote attackers to take over Keenetic routers by for
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today